Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.

24 of 72 comments (clear)

  1. Who's to blame? by mrbester · · Score: 1, Flamebait

    An immediate concern is why a method with a Microsoft specific vendor prefix is implemented and targetable in Chrome in the first place.

    TFA doesn't mention anything about IE/Edge being affected. If it is that would be understandable. They might not have checked, but there is also no reference to any other OS than Windows. Does that mean that msSaveOrOpenBlob is only implemented on the Windows version of Chrome and if so, why?

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    1. Re:Who's to blame? by AvitarX · · Score: 2

      On Apple it causes a hang warning with an option to force close, doing so kills only the tab in question.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. On all platforms? by 140Mandak262Jamuna · · Score: 1

    Wouldn't renice 32 -p $pid fix it for linux/unix?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. msSaveOrOpen on Chrome? by Anonymous Coward · · Score: 1

    The ms prefix is a clue that it is Microsoft-only

    navigator.msSaveOrOpen doesn't exist for either Chrome or Firefox

    Nice try, no cigar.

    1. Re:msSaveOrOpen on Chrome? by TFlan91 · · Score: 4, Informative

      I was coming here to say just this.

      Only in IE do you use navigator.msSaveOrOpenBlob

      In Chrome / FF / Safari, you use FileReader.

      So this sentence:

      "this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome"

      Straight PR move to cast shade on Chrome

    2. Re:msSaveOrOpen on Chrome? by thegarbz · · Score: 1

      So was it a fake recording in the article showing Chrome?

      Maybe Chrome should depreciate it.

  4. Re:Javascript in the browser *is* the malware by Anonymous Coward · · Score: 3, Insightful

    Says someone weeks after Meltdown was demonstrated... running as Javascript in a browser.

    Way to go!.

  5. This should be say to fix on the client side by mark-t · · Score: 2

    When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed Threads requesting a download can be handled on a first come first serve.basis.

    --
    File under 'M' for 'Manic ranting'
    1. Re:This should be say to fix on the client side by TFlan91 · · Score: 1

      Chrome actually does do this.

      When I use JS to initiate multiple downloads, Chrome detects this, stops it, and asks me to continue.

      This article is really about IE.

    2. Re:This should be say to fix on the client side by duke_cheetah2003 · · Score: 1

      When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed Threads requesting a download can be handled on a first come first serve.basis.

      A thousand times: NO!

      Been there, done that, you implement something like that, you end up having to click NO a jagillion times to dismiss all the queued up downloads. Stupid.

    3. Re:This should be say to fix on the client side by Anonymous Coward · · Score: 1

      No, it's about Chrome. The example in the article is Chrome. It is entirely possible that the vulnerability comes from Chrome trying to re-interpret an old MS specific HTML instruction, but it is a Chrome issue.

    4. Re:This should be say to fix on the client side by mark-t · · Score: 1

      No, you don't.

      As I said, the dialogue is not modal, so there is nothing stopping you from closing the offending page when one of these pops up without necessarily closing the entire browser. Before the dialog even opens, the thread that is opening the dialog can interrogate the client to see if the web page that spawned it is even still active. If it is, then it proceeds, but if not, then it aborts without even showing the dialog at all. Only one of these would ever be shown at one time, so you don't get a bajllion of them at once... they would be responded to on a first-come-first-serve basis. As soon as you dismiss such a dialog after having closed the offending tab or otherwise changed the web page that was loaded in that window, since the web page that was making the js request is closed, all of the other requests that may have been wanting to initiate a download and were suspended, waiting to show the dialog could be silently aborted.

      This is honestly entirely trivial to implement in software. The code to manage it in any modern high level language could *EASILY* fit into less than a single printed page.

      --
      File under 'M' for 'Manic ranting'
  6. Re:Not surprising by wbr1 · · Score: 1

    Chromium is open... what are you blathering about?

    --
    Silence is a state of mime.
  7. window.navigator.msSaveOrOpenBlob by zifn4b · · Score: 4, Insightful

    Only works on Microsoft browsers. I don't see a problem here.

    --
    We'll make great pets
    1. Re:window.navigator.msSaveOrOpenBlob by thegarbz · · Score: 3, Interesting

      Only works on Microsoft browsers. I don't see a problem here.

      And yet the screenshot shows it running on Chrome. I have no doubt that Microsoft is at fault or that Microsoft browsers are affected, but clearly it seems to work on Chrome just fine.

    2. Re:window.navigator.msSaveOrOpenBlob by zifn4b · · Score: 1

      You're not a developer probably so you don't understand the difference. Try reading this. Not sure you will get it though but good luck.

      --
      We'll make great pets
    3. Re:window.navigator.msSaveOrOpenBlob by thegarbz · · Score: 1

      You're not good at arguing so you probably don't understand the difference. But your post doesn't invalidate the original point which is that the exploit is shown working in Chrome.

  8. Have you tried turning it off and on again? by VeryFluffyBunny · · Score: 1

    Hard-code this into web browsers' error messages.

    --
    Debate is a form of harassment. Do not question my truth.
  9. Re:Not surprising by HiThere · · Score: 1

    Well, Chrome is not Chromium, but my guess is what he meant was that MSWindows has one application grab the entire screen, the way Gnome3 does. (I think I heard that Gnome3 copied that atrocious idea from MSWindows).

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  10. Re:Javascript in the browser *is* the malware by Chris+Mattern · · Score: 1

    The text only web is dead grandpa

    Only because people have repeatedly shown that they must have the pretty shinies, even if it completely compromises their security. And then they wonder why security is shit.

  11. Re:this is why run adblock in the past flashloaded by taustin · · Score: 1, Insightful

    I disagree. Some people make far more sense when they're incoherent.

  12. Just try foxnews.com on your phone by Applehu+Akbar · · Score: 1

    After a few seconds of viewing the headlines, a scammy popup ad will dominate the screen and prevent you from clicking on any link on the site.

  13. Re:Not surprising by wbr1 · · Score: 1
    Windows does not allow one app to grab the focus and hold it without malicious trickery. The only thing that could is kernel level processes like UAC prompts. This has been the case for a long time.

    Of course an app can have modal windows within itself for UI reasons - this is perfectly normap

    In this case because chrome (and other apps) cannot legally lock the system UI, they do it by thrashing disk IO (which certainly has a large effect on memory and CPU utilization too), effectively freezing the system. IE a malicious workaround.

    My point about chromium is that if the GP was lamenting chrome not being open source and vetted, he is wrong - most of it can be. The major differences between chromium and chrome are the pdf viewer, and some proprietary media codecs that are closed and built into chrome. While I do not agree with some of what google does, Chrome is not malware and is probably the best browser out there.

    --
    Silence is a state of mime.
  14. Re:Not surprising by HiThere · · Score: 1

    Actually, saying "it's the best browser" assumes a particular use case. I've tried Chromium, etc., and for my use case Firefox is still the best browser I've encountered, with Konqueror a distant second. This is even after the GUI changes that they've made in the last few years. (OTOH, I'm currently using version 52.6, and it's quite possible that they've made changes that would change my mind.)

    But those are the only two browsers I've encountered that let me set up and nicely display a folder of nested folders of bookmarks while browsing. This is one of my "mandatory features". Some other browsers let me have a nicely displayed folder of bookmarks, but the part about nested folders is quite valuable to me.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.